ESAs publish final report on DORA draft technical standards
26 July 2024 Europe
Image: Cozine/stock.adobe.com
The three European Supervisory Authorities (ESAs) have published a joint report on the draft regulatory technical standards (RTS), finalising the second batch of regulatory products under the Digital Operational Resilience Act (DORA).
This final report specifies the elements which a financial entity needs to determine and assess, when subcontracting information and communication technology (ICT) services supporting “critical or important” functions, under DORA.
These RTS aim to enhance the digital operational resilience of the EU financial sector by strengthening the financial entities’ ICT risk management over the use of subcontracting.
According to the ESAs, the RTS specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers.
In particular, they require financial entities to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process.
The Article 30(2)(a) of Regulation (EU) 2022/2554 mandates that financial entities must clearly and fully describe all of the functions and services provided by the third-party ICT service within contractual agreements.
They must also outline the conditions under which subcontracting is permitted.
The report discusses feedback from various respondents and the adjustments made to the draft RTS, including clarification of criteria for risk assessment and the conditions under which financial entities can terminate contracts with ICT service providers.
The ESAs will now submit the draft RTS to the European Commission for adoption.
This final report specifies the elements which a financial entity needs to determine and assess, when subcontracting information and communication technology (ICT) services supporting “critical or important” functions, under DORA.
These RTS aim to enhance the digital operational resilience of the EU financial sector by strengthening the financial entities’ ICT risk management over the use of subcontracting.
According to the ESAs, the RTS specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers.
In particular, they require financial entities to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process.
The Article 30(2)(a) of Regulation (EU) 2022/2554 mandates that financial entities must clearly and fully describe all of the functions and services provided by the third-party ICT service within contractual agreements.
They must also outline the conditions under which subcontracting is permitted.
The report discusses feedback from various respondents and the adjustments made to the draft RTS, including clarification of criteria for risk assessment and the conditions under which financial entities can terminate contracts with ICT service providers.
The ESAs will now submit the draft RTS to the European Commission for adoption.
NO FEE, NO RISK
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Թ Finance Times
100% ON RETURNS If you invest in only one securities finance news source this year, make sure it is your free subscription to Թ Finance Times